000034195 - RSA SecOps Linux Splunk Integration not outputting Alerts

Document created by RSA Customer Support Employee on Oct 24, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.

Article Content

Article Number: 000034195
Applies To
RSA Product Set: Security Management
RSA Product/Service Type: SecOps
RSA Version/Condition: 1.3.1
Platform: Windows
 
Issue
Linux Splunk is integrated with Archer via SecOps 1.3.1. The SecOps service is up and running on the Splunk host. The saved search returns results in Splunk, but no Security Alerts are output.
Cause
The SecOps service logs contain the following warning:
com.rsa.archer.solutions.splunk.SplunkServiceHandler parseMessage
WARNING: There are no CEF messages present in the generated alert. No data sent to RCF.

Note: SecOps service logs are located in the following path:
/opt/rsa/secops/logs
Resolution
  1. Obtain the .csv results by navigating to:
    /opt/splunk/var/run/splunk/dispatch/rt_schedule__admin_ssearch_XXXXXXXXXX_at_XXXXXXX_XXX.XX/results.csv.gz

  2. Open the file with Excel or a similar editor to view the delimited data.
  3. Check the "_raw" data column and ensure it is populated with data.
  4. If there is no "_raw" data, no Security Alert will be output. The SecOps Service specifically reads the raw event data to build its output.
  5. Confirm the Splunk Query is returning the needed data.
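The check in steps 1 through 5 can be scripted so it does not depend on opening the gzipped CSV by hand. The following is an added example, not RSA code or part of the SecOps service: it decompresses a results.csv.gz payload, parses it, and reports whether the "_raw" column exists and how many rows actually carry data. The two sample result sets, the host and source names, and the CEF line are constructed for the demonstration; the "CEF:" prefix count is an extra heuristic based on the warning text above and is an assumption about what the service expects, not something the article states.

```python
import csv
import gzip
import io
import sys
from typing import Dict, List

# Constructed sample: the search returns rows, but the _raw column is empty.
# This is the shape that produces "There are no CEF messages present" in the service log.
SAMPLE_EMPTY_RAW = (
    "_time,host,source,_raw\n"
    "2016-10-24T10:00:00,splunk01,/var/log/auth.log,\n"
    "2016-10-24T10:00:05,splunk01,/var/log/auth.log,\n"
)

# Constructed sample: _raw carries the original event text (a CEF-formatted line here).
SAMPLE_WITH_RAW = (
    "_time,host,source,_raw\n"
    "2016-10-24T10:00:00,splunk01,/var/log/auth.log,"
    "\"CEF:0|ExampleVendor|ExampleProduct|1.0|100|Login failure|5|src=10.0.0.5 suser=alice\"\n"
)


def gzip_bytes(text: str) -> bytes:
    """Build an in-memory results.csv.gz payload from CSV text (used for the samples)."""
    return gzip.compress(text.encode("utf-8"))


def read_results(gz_bytes: bytes) -> List[Dict[str, str]]:
    """Decompress a results.csv.gz payload and parse it into one dict per row."""
    with gzip.open(io.BytesIO(gz_bytes), mode="rt", encoding="utf-8", newline="") as fh:
        return list(csv.DictReader(fh))


def check_raw_column(rows: List[Dict[str, str]], column: str = "_raw") -> Dict[str, object]:
    """Report whether the given column exists and how many rows have a non-empty value.

    verdict is one of:
      "no rows"  - the search returned nothing at all
      "missing"  - the column is not in the CSV header (the search dropped it)
      "empty"    - the column exists but every value is blank
      "ok"       - at least one row carries raw data
    cef_rows counts values that start with "CEF:" (assumption: a hint that the
    event text is in the format the service's parseMessage step is looking for).
    """
    total = len(rows)
    if total == 0:
        return {"column_present": False, "rows": 0, "populated": 0, "cef_rows": 0, "verdict": "no rows"}
    present = column in rows[0]
    values = [(r.get(column) or "").strip() for r in rows] if present else []
    populated = sum(1 for v in values if v)
    cef_rows = sum(1 for v in values if v.startswith("CEF:"))
    if not present:
        verdict = "missing"
    elif populated == 0:
        verdict = "empty"
    else:
        verdict = "ok"
    return {"column_present": present, "rows": total, "populated": populated,
            "cef_rows": cef_rows, "verdict": verdict}


def check_results_file(path: str) -> Dict[str, object]:
    """Run the same check against a results.csv.gz on disk (the dispatch directory path from step 1)."""
    with open(path, "rb") as fh:
        return check_raw_column(read_results(fh.read()))


if __name__ == "__main__":
    # With a path argument, inspect a real dispatch file; otherwise run the constructed samples.
    if len(sys.argv) > 1:
        print(check_results_file(sys.argv[1]))
    else:
        for name, sample in (("empty _raw", SAMPLE_EMPTY_RAW), ("populated _raw", SAMPLE_WITH_RAW)):
            print(name, "->", check_raw_column(read_results(gzip_bytes(sample))))
```

Run it as `python check_raw.py /opt/splunk/var/run/splunk/dispatch/<search id>/results.csv.gz` on the Splunk host; a verdict of "missing" or "empty" matches the warning in the service log, which points back at the search definition rather than at the SecOps service.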